RPT.2 EU Sanctions DD

EU Sanctions DD RPT.2: Internal Escalation Process

This control is 1 of 25 in EU Sanctions DD. Get the full checklist as a free interactive assessment with a scored gap report.

Start my free EU Sanctions DD assessment Google sign-in · No credit card · About 2 minutes

What This Control Requires

Is there a clear internal escalation process for sanctions red flags - from front-line staff to compliance to legal to authority notification?

In Plain Language

Red flags identified by sales, operations, or finance staff need a documented path to compliance decision-makers and, if necessary, to external authorities. Without a clear escalation process, critical information gets stuck at the wrong level - either because front-line staff do not know who to tell, or because middle management does not appreciate the urgency.

The EBA Guidelines on Restrictive Measures (November 2024) specifically require financial institutions, payment service providers, and crypto-asset service providers to name a specific person responsible for sanctions compliance. Not 'the compliance team' or 'the legal department' but a named individual with clear authority and responsibility. For companies outside the financial sector the Guidelines are not binding, but they are a useful reference for what a working escalation setup looks like.

The escalation process must be fast enough to meet the 2-week reporting deadline under Regulation 269/2014 - which means it cannot involve weeks of committee meetings and approval chains.

How to Implement

Create and document a sanctions escalation workflow with clear timelines:

1. Detection - front-line employee identifies a red flag (screening match, suspicious behaviour, unusual transaction)

2. Immediate report - same-day notification to the compliance officer or designated senior staff member. The EBA Guidelines require financial-sector firms to name a specific person; for everyone else this is recommended practice.

3. Assessment - compliance evaluates within 1-3 business days: clear false positive (document and close), additional due diligence needed (set deadline), or escalation to legal.

4. Legal review - if confirmed or suspected, legal advises on: blocking/freezing requirements, authority notification obligations, and business relationship decisions.

5. Authority reporting - if required, file report with the national competent authority within the 2-week deadline per Regulation 269/2014.

6. Documentation - record every step with dates, participants, decisions, and rationale.

Critical implementation details: - The escalation path must work even when key people are absent (holiday, sick leave) - define deputies. - Front-line staff must be able to escalate without managerial approval (to prevent suppression). - Set clear SLAs at each step to ensure the overall timeline fits within the 2-week reporting deadline. - Test the process annually with realistic scenarios. - Train all customer-facing and operations staff on this process.

Evidence Your Auditor Will Request

Documented sanctions escalation policy with named responsible persons and deputies
Evidence of escalation process testing (tabletop exercises, scenario drills)
Training records for front-line staff on the escalation process
Sample escalation records showing the process was followed for real or test cases
SLA documentation for each step in the escalation process

Common Mistakes

No documented escalation process - relying on informal 'talk to compliance' guidance
Named compliance officer but no defined deputies for absence periods
Escalation process too slow to meet the 2-week authority reporting deadline
Front-line staff unable to escalate directly to compliance (blocked by management layers)
No testing of the escalation process - only discovering gaps during a real incident

Related Controls Across Frameworks

Framework	Control ID	Relationship
EU Sanctions DD	EU Sanctions DD RPT.1: Mandatory Authority Reporting	Related
EU Sanctions DD	EU Sanctions DD PROG.1: Designated Sanctions Compliance Officer	Related
EU Sanctions DD	EU Sanctions DD PROG.4: Sanctions Compliance Training	Related

Frequently Asked Questions

Who should the escalation point be?

For financial institutions, payment service providers, and crypto-asset service providers, the EBA Guidelines require a 'designated senior staff member' - a named individual with sufficient authority to halt transactions and sufficient access to escalate to the board or CEO. For other companies this is recommended practice rather than a binding requirement. In larger organisations, this is typically the Chief Compliance Officer or Head of Financial Crime. In smaller companies, it may be the CFO, General Counsel, or a board member with explicit sanctions compliance responsibility. The key is authority, accessibility, and accountability.

How do we ensure front-line staff actually escalate concerns?

Three factors drive escalation behaviour: awareness (staff know what to look for), confidence (staff believe their concerns will be taken seriously), and safety (staff do not fear negative consequences for raising concerns). Achieve this through: regular training with practical scenarios, a no-blame policy for good-faith escalations, feedback loops showing staff that their escalations led to action, and making escalation easy (a dedicated email address, phone number, or reporting tool).

How often should we test the escalation process?

At least annually, and after any significant organisational change (new compliance officer, restructuring, acquisition). Tabletop exercises work well: present a realistic scenario to the team and walk through the escalation process step by step. Time each stage. Identify bottlenecks. After the exercise, document lessons learned and update the process if gaps were found.

Track EU Sanctions DD compliance in one place

AuditFront helps you manage every EU Sanctions DD control, collect evidence, and stay audit-ready. The full EU Sanctions DD checklist is included on the Free plan.

Start Free Assessment

Free plan · No credit card required

Start my free EU Sanctions DD assessment